Solved No boot device after removing System Repair trojan

Status
Not open for further replies.

cjon

New Member
Thread author
Feb 21, 2013
5
I have a machine (Windows 7 Pro - 64 bit) that was infected with the Windows Repair trojan. Windows Defender Offline located and removed the offending files, but now the machine refuses to boot with a No Boot Device error. I've booted from a Win 7 Repair disk and run chkdsk /f and BootRec.exe /fixmbr, and tried /fixboot as well, but /fixmbr didn't help and /fixboot couldn't find a bootable disk. I saw in another thread your recommendation to download and run FRST and ListParts, so here is the output from those:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-02-2013 01
Ran by SYSTEM at 21-02-2013 17:38:52
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10920552 2010-06-22] (Realtek Semiconductor)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe" [115560 2009-07-08] (Symantec Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKU\Fred\...\Run: [Google Update] "C:\Users\Fred\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-12-18] (Google Inc.)
HKU\Fred\...\Run: [Shop To Win] C:\Program Files (x86)\Shop To Win\ShopToWin.exe [2231808 2012-07-05] (Jackpot Rewards)
HKU\Fred\...\Run: [DW7] "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe" [13102080 2013-02-14] (The Weather Channel)
HKU\Fred\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-11-28] (Google Inc.)
HKU\Fred\...\Policies\system: [DisableTaskMgr] 1
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d\n. ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-07-08] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-07-08] (Symantec Corporation)
2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-06] ()
2 DefaultTabUpdate; "C:\Users\Fred\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe" [107520 2012-11-07] ()
3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093880 2009-07-13] (Symantec Corporation)
2 SmcService; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" [3197256 2009-09-17] (Symantec Corporation)
4 SNAC; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE" [411976 2009-09-17] (Symantec Corporation)
2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [2477304 2009-09-17] (Symantec Corporation)
2 uvnc_service; "C:\Program Files\UltraVNC\WinVNC.exe" -service [2169592 2011-05-18] (UltraVNC)

==================== Drivers (Whitelisted) =====================

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-10-18] (Symantec Corporation)
3 mv2; C:\Windows\System32\Drivers\mv2.sys [12904 2011-12-28] (UVNC BVBA)
3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20121106.032\ENG64.SYS [126112 2012-10-18] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20121106.032\EX64.SYS [2084000 2012-10-18] (Symantec Corporation)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [443952 2009-08-25] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [481840 2009-08-25] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2009-08-25] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2011-12-28] (Symantec Corporation)
3 Teefer2; C:\Windows\System32\Drivers\Teefer2.sys [62512 2009-05-27] (Symantec Corporation)
1 WPS; \??\C:\Windows\system32\drivers\wpsdrvnt.sys [52784 2009-09-17] (Symantec Corporation)
3 WpsHelper; C:\Windows\System32\Drivers\WpsHelper.sys [233120 2012-09-30] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-02-21 17:38 - 2013-02-21 17:38 - 00000000 ____D C:\FRST
2013-02-20 20:59 - 2013-02-20 21:28 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-02-19 11:46 - 2013-02-19 11:46 - 00000184 ___AH C:\ProgramData\-XHnASFcJrnlLmYDr
2013-02-19 11:46 - 2013-02-19 11:46 - 00000184 ___AH C:\ProgramData\Application Data\-XHnASFcJrnlLmYDr
2013-02-19 11:46 - 2013-02-19 11:46 - 00000160 ___AH C:\ProgramData\-XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000160 ___AH C:\ProgramData\Application Data\-XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000088 ___AH C:\ProgramData\XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000088 ___AH C:\ProgramData\Application Data\XHnASFcJrnlLmYD
2013-02-14 13:27 - 2013-02-14 13:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2013-02-13 08:32 - 2013-01-04 23:53 - 05553512 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-02-13 08:32 - 2013-01-04 23:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-02-13 08:32 - 2013-01-04 23:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-02-13 08:32 - 2013-01-03 21:26 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-02-13 08:31 - 2013-01-07 23:40 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-02-13 08:31 - 2013-01-07 22:39 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-02-13 08:31 - 2013-01-03 23:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-02-13 08:31 - 2013-01-03 22:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-02-13 08:31 - 2013-01-03 20:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-02-13 08:31 - 2013-01-03 20:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-02-13 08:31 - 2013-01-03 20:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-02-13 08:31 - 2013-01-03 20:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-02-13 08:31 - 2013-01-03 00:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-02-13 08:31 - 2013-01-03 00:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2013-02-13 08:31 - 2012-12-20 07:59 - 01492992 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-02-13 08:31 - 2012-12-20 07:59 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-02-13 08:31 - 2012-12-20 07:59 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-02-13 08:31 - 2012-12-20 07:56 - 09058304 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-02-13 08:31 - 2012-12-20 07:56 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-02-13 08:31 - 2012-12-20 07:55 - 12295168 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-02-13 08:31 - 2012-12-20 07:55 - 02458112 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-02-13 08:31 - 2012-12-20 07:55 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-02-13 08:31 - 2012-12-20 07:55 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-02-13 08:31 - 2012-12-20 06:53 - 01231872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-02-13 08:31 - 2012-12-20 06:53 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-02-13 08:31 - 2012-12-20 06:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-02-13 08:31 - 2012-12-20 06:50 - 06030336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-02-13 08:31 - 2012-12-20 06:50 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-02-13 08:31 - 2012-12-20 06:50 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-02-13 08:31 - 2012-12-20 06:49 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-02-13 08:31 - 2012-12-20 06:49 - 02078208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-02-13 08:31 - 2012-12-20 06:49 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-02-13 08:31 - 2012-12-20 06:02 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-02-13 08:31 - 2012-12-20 05:20 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-02-12 08:25 - 2013-02-12 08:25 - 15739760 ___AH (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

==================== One Month Modified Files and Folders =======

2013-02-20 21:28 - 2013-02-20 20:59 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-02-20 19:11 - 2011-12-21 12:03 - 00007570 ___AH C:\Windows\setupact.log
2013-02-20 19:11 - 2011-12-06 20:57 - 00000000 ___HD C:\Program Files (x86)\Dell DataSafe Local Backup
2013-02-20 19:11 - 2009-07-13 23:08 - 00032602 ___AH C:\Windows\Tasks\SCHEDLGU.TXT
2013-02-20 19:11 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-02-20 18:45 - 2011-12-06 21:09 - 00000000 ___HD C:\Users\Default\Local Settings\SoftThinks
2013-02-20 18:45 - 2011-12-06 21:09 - 00000000 ___HD C:\Users\Default\Local Settings\Application Data\SoftThinks
2013-02-20 18:45 - 2011-12-06 21:09 - 00000000 ___HD C:\Users\Default\AppData\Local\SoftThinks
2013-02-20 18:45 - 2011-12-06 21:09 - 00000000 ___HD C:\Users\Default User\Local Settings\SoftThinks
2013-02-20 18:45 - 2011-12-06 21:09 - 00000000 ___HD C:\Users\Default User\Local Settings\Application Data\SoftThinks
2013-02-20 18:45 - 2011-12-06 21:09 - 00000000 ___HD C:\Users\Default User\AppData\Local\SoftThinks
2013-02-20 18:45 - 2011-12-06 21:07 - 00000000 ___HD C:\ProgramData\Sonic
2013-02-20 18:45 - 2011-12-06 21:07 - 00000000 ___HD C:\ProgramData\Application Data\Sonic
2013-02-20 18:44 - 2012-11-28 08:18 - 00000890 ___AH C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-02-19 12:06 - 2012-11-07 09:41 - 00000000 ___HD C:\Program Files (x86)\DefaultTab
2013-02-19 12:06 - 2011-12-28 09:38 - 00044312 ___AH C:\Windows\PFRO.log
2013-02-19 12:01 - 2011-12-06 20:42 - 01373248 ___AH C:\Windows\WindowsUpdate.log
2013-02-19 11:46 - 2013-02-19 11:46 - 00000184 ___AH C:\ProgramData\-XHnASFcJrnlLmYDr
2013-02-19 11:46 - 2013-02-19 11:46 - 00000184 ___AH C:\ProgramData\Application Data\-XHnASFcJrnlLmYDr
2013-02-19 11:46 - 2013-02-19 11:46 - 00000160 ___AH C:\ProgramData\-XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000160 ___AH C:\ProgramData\Application Data\-XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000088 ___AH C:\ProgramData\XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000088 ___AH C:\ProgramData\Application Data\XHnASFcJrnlLmYD
2013-02-19 11:44 - 2011-12-18 09:36 - 00000000 ___HD C:\users\Fred
2013-02-19 11:38 - 2011-12-18 10:13 - 00000904 ___AH C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3336421302-1513359965-3768996753-1000UA.job
2013-02-19 11:33 - 2012-11-28 08:18 - 00000894 ___AH C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-02-19 11:25 - 2012-06-11 07:30 - 00000830 ___AH C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-02-19 08:32 - 2011-12-18 09:43 - 00000422 ___AH C:\Windows\Tasks\SystemToolsDailyTest.job
2013-02-19 08:19 - 2009-07-13 22:45 - 00021088 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-02-19 08:19 - 2009-07-13 22:45 - 00021088 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-02-15 13:38 - 2011-12-18 10:13 - 00000852 ___AH C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3336421302-1513359965-3768996753-1000Core.job
2013-02-14 13:27 - 2013-02-14 13:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2013-02-14 03:24 - 2011-12-18 09:43 - 00000564 ___AH C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2013-02-14 03:24 - 2009-07-13 22:45 - 00461464 ____A C:\Windows\System32\FNTCACHE.DAT
2013-02-14 03:07 - 2011-12-18 10:55 - 00000000 ___HD C:\ProgramData\Microsoft Help
2013-02-14 03:07 - 2011-12-18 10:55 - 00000000 ___HD C:\ProgramData\Application Data\Microsoft Help
2013-02-14 03:04 - 2011-12-18 11:31 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-02-14 03:02 - 2009-07-13 23:13 - 00799118 ____A C:\Windows\System32\PerfStringBackup.INI
2013-02-12 08:25 - 2013-02-12 08:25 - 15739760 ___AH (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-02-12 08:25 - 2012-06-11 07:30 - 00697712 ___AH (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-02-12 08:25 - 2011-12-28 09:56 - 00074096 ___AH (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-02-06 09:56 - 2012-02-06 13:14 - 00000000 ___HD C:\Scans
2013-02-04 08:29 - 2011-12-18 10:13 - 00002366 ___AH C:\Users\Fred\Desktop\Google Chrome.lnk


ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d\L
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d\U

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3336421302-1513359965-3768996753-1000\$d20b42543cd62e2c101d7729f8f0403d
C:\$Recycle.Bin\S-1-5-21-3336421302-1513359965-3768996753-1000\$d20b42543cd62e2c101d7729f8f0403d\L
C:\$Recycle.Bin\S-1-5-21-3336421302-1513359965-3768996753-1000\$d20b42543cd62e2c101d7729f8f0403d\U

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-31 13:06:10
Restore point made on: 2013-01-08 08:16:10
Restore point made on: 2013-01-11 03:00:51
Restore point made on: 2013-01-16 03:00:22
Restore point made on: 2013-01-24 08:34:03
Restore point made on: 2013-02-04 16:25:33
Restore point made on: 2013-02-12 08:07:30
Restore point made on: 2013-02-14 03:00:27

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3944.44 MB
Available physical RAM: 3366.54 MB
Total Pagefile: 3942.59 MB
Available Pagefile: 3352.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:451.41 GB) (Free:404.98 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:14.29 GB) (Free:7.96 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.17 GB) (Free:0 GB) UDF
4 Drive f: (CORSAIR3) (Removable) (Total:7.59 GB) (Free:7.59 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7788 MB 0 B

Partitions of Disk 0:
===============

Disk ID: E22EA511

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 451 GB 14 GB
Partition 4 Primary 10 MB 465 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Disk ID: 012393FA

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7788 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F CORSAIR3 FAT32 Removable 7788 MB Healthy

=========================================================

Last Boot: 2013-02-14 00:29

==================== End Of Log =============================

ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 21-02-2013 at 17:43:58
Windows 7 (X64)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 3944.44 MB
Available physical RAM: 3430.11 MB
Total Pagefile: 3942.59 MB
Available Pagefile: 3421.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:451.41 GB) (Free:404.98 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:14.29 GB) (Free:7.96 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.17 GB) (Free:0 GB) UDF
4 Drive f: (CORSAIR3) (Removable) (Total:7.59 GB) (Free:7.59 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7788 MB 0 B

Partitions of Disk 0:
===============

Disk ID: E22EA511

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 451 GB 14 GB
Partition 4 Primary 10 MB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 012393FA

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7788 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F CORSAIR3 FAT32 Removable 7788 MB Healthy

======================================================================================================
The boot configuration data store could not be opened.
The system cannot find the file specified.


****** End Of Log ******

I'm pretty sure that Disk 0 Partition 4 shouldn't be there and holds the key, but I'm not sure how to approach fixing it. Before I fire up GPartEd and dump it, I want another opinion.

Thanks,
CJon
 

Fiery

Level 1
Jan 11, 2011
2,007
You are correct, partition 4 is a TDSS file system, you should delete that with gparted. Also, you'll probably have to do the following:

Open notepad and copy & paste the following:

start
HKU\Fred\...\Policies\system: [DisableTaskMgr] 1
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d\n. ATTENTION! ====> ZeroAccess
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d\L
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d\U
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3336421302-1513359965-3768996753-1000\$d20b42543cd62e2c101d7729f8f0403d
C:\$Recycle.Bin\S-1-5-21-3336421302-1513359965-3768996753-1000\$d20b42543cd62e2c101d7729f8f0403d\L
C:\$Recycle.Bin\S-1-5-21-3336421302-1513359965-3768996753-1000\$d20b42543cd62e2c101d7729f8f0403d\U
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d
2013-02-19 11:46 - 2013-02-19 11:46 - 00000184 ___AH C:\ProgramData\-XHnASFcJrnlLmYDr
2013-02-19 11:46 - 2013-02-19 11:46 - 00000184 ___AH C:\ProgramData\Application Data\-XHnASFcJrnlLmYDr
2013-02-19 11:46 - 2013-02-19 11:46 - 00000160 ___AH C:\ProgramData\-XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000160 ___AH C:\ProgramData\Application Data\-XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000088 ___AH C:\ProgramData\XHnASFcJrnlLmYD
2013-02-19 11:46 - 2013-02-19 11:46 - 00000088 ___AH C:\ProgramData\Application Data\XHnASFcJrnlLmYD
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix.

Then do a startup repair and see if you can boot up.
 
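As an added example (not part of this thread and not Farbar's code), the following Python 3.8+ script runs the triage Fiery describes over a few lines constructed from the FRST and ListParts output cjon posted: it pulls out the ZeroAccess directories under $Recycle.Bin, the DisableTaskMgr policy entry, and the hidden, active partition with no volume that the reply identifies as the one to delete. The regular expressions and the "Disk: N / Partition N" block parsing are my assumptions about the log layout shown in this thread, not a documented FRST format.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the FRST and ListParts output posted
# above, trimmed to the entries that matter for triage.
SAMPLE_LOG = r"""
HKU\Fred\...\Policies\system: [DisableTaskMgr] 1
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d\n. ATTENTION! ====> ZeroAccess
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d20b42543cd62e2c101d7729f8f0403d
C:\$Recycle.Bin\S-1-5-21-3336421302-1513359965-3768996753-1000\$d20b42543cd62e2c101d7729f8f0403d\U

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

* Volume 2 C OS NTFS Partition 451 GB Healthy

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.
"""

# ZeroAccess keeps its files under $Recycle.Bin\<SID>\$<32 hex chars>, as the
# log above shows; the SID is SYSTEM (S-1-5-18) or a user account (S-1-5-21-...).
ZA_PATH = re.compile(r"\$Recycle\.Bin\\(S-1-5-(?:18|21(?:-\d+)+))\\\$([0-9a-f]{32})", re.I)
# Policy value that disables Task Manager, flagged in the Registry section.
POLICY_TAMPER = re.compile(r"\\Policies\\system: \[DisableTaskMgr\] 1")


@dataclass
class Partition:
    disk: int
    number: int
    type_id: str = ""
    hidden: bool = False
    active: bool = False
    has_volume: bool = False  # set when a "* Volume" row follows the block


def parse_partitions(text):
    """Read the per-partition blocks of a ListParts log (layout assumed from the thread)."""
    parts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Disk: (\d+)$", line):
            cur = Partition(disk=int(m.group(1)), number=0)
            parts.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Partition (\d+)$", line):
            cur.number = int(m.group(1))
        elif m := re.match(r"Type : ([0-9A-Fa-f]{2})", line):
            cur.type_id = m.group(1).upper()
        elif line.startswith("Hidden:"):
            cur.hidden = line.endswith("Yes")
        elif line.startswith("Active:"):
            cur.active = line.endswith("Yes")
        elif line.startswith("* Volume"):
            cur.has_volume = True
    return parts


def suspicious_partitions(parts):
    """The MBR boot code hands control to the active partition, so an active,
    hidden partition with no mounted volume is the bootkit loader, not Windows."""
    return [p for p in parts if p.active and p.hidden and not p.has_volume]


def find_zeroaccess_paths(text):
    """Distinct (SID, hash) pairs of ZeroAccess directories referenced anywhere in the log."""
    return sorted({(m.group(1), m.group(2).lower()) for m in ZA_PATH.finditer(text)})


def find_policy_tampering(text):
    return [line.strip() for line in text.splitlines() if POLICY_TAMPER.search(line)]


def triage(text):
    """Human-readable findings for the three indicator classes discussed in the thread."""
    findings = [f"ZeroAccess directory: C:\\$Recycle.Bin\\{sid}\\${h}"
                for sid, h in find_zeroaccess_paths(text)]
    findings += [f"Policy tampering: {line}" for line in find_policy_tampering(text)]
    findings += [f"Disk {p.disk} partition {p.number}: type 0x{p.type_id}, hidden, active, "
                 "no volume (bootkit partition candidate; remove with a partition editor)"
                 for p in suspicious_partitions(parse_partitions(text))]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it with python3 to print the findings; to use it on a real case, read the FRST and ListParts logs from the flash drive and pass their contents to triage() in place of SAMPLE_LOG. The partition rule deliberately requires all three conditions (active, hidden, no volume) so that an ordinary active system partition, which has a mounted volume, is never flagged.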

cjon

New Member
Thread author
Feb 21, 2013
5
Fiery said:
You are correct, partition 4 is a TDSS file system, you should delete that with gparted. Also, you'll probably have to do the following:

Yep. Dumped partition 4 and then ran the FRST fix and the startup repair. Then had to run Unhide.exe to make the files visible again and move the start menu and desktop items back to their appropriate spots.

All seems good now. I'm currently running a MBAM full scan and will follow with SAS, and if those don't turn up anything, I'm calling it clean. Any other thoughts?

Thanks for your help
CJon
 

cjon

New Member
Thread author
Feb 21, 2013
5
Halfway through the MBAM full scan, we've detected several items, so I guess I'm not done yet. ;)
 

cjon

New Member
Thread author
Feb 21, 2013
5
Fiery said:
Looking good, sounds like a scan or two would still be needed :)

Yep. Malwarebytes found and removed 20 entries and SAS came up clean, except for some cookies. Eset's and Kaspersky's online scanners both came up clean. I decided not to run Combofix.

Turns out the Live Update for their Symantec Enterprise AV is busted and hadn't been updated since November. (Wonder why they were vulnerable...) That is controlled by their netadmin, and I can't fix it. I made 3 passes at removing/installing Live Update, all failures. I'll let the guy who gets paid to take care of the machines do it.

Thanks again for all your help. I was up a stump with the busted boot and thought I was going to have to run the Day 1 image to fix it. I really hate doing that. (But I always make the image...)

Thanks again, CJon
 